b"   Federal Election Commission\n\n    Office of Inspector General\n\n\n\n\n             Final Report\n\nReview of Outstanding Recommendations\n          as of December 2013\n\n            February 2014\n\n\n      Assignment No. OIG-14-02\n\x0c                      Office of Inspector General\xe2\x80\x99s\n                Review of Outstanding Recommendations\n                        December 2013 Report\n\nThe Office of Inspector General (OIG) semiannually provides to the Commission the status of\noutstanding recommendations. We reviewed seven audits and inspections that had a total of 96\nrecommendations still outstanding. A total of 20 recommendations were closed. Three of the seven\naudits had no recommendations closed during this reporting period.\n\n\n\n\n                         Noteworthy Accomplishments\n   \xe2\x80\xa2   The OIG was able to close the last eight recommendations from the 2009 Follow-up of the\n       Transit Benefit program\n   \xe2\x80\xa2   The last outstanding recommendation from the 2011 Inspection of the Kastle Key Program\n       was closed\n   \xe2\x80\xa2   The final three open recommendations from the 2012 Quality Assessment of the Audit\n       Division are closed\n   \xe2\x80\xa2   Tremendous progress has been made by the OCFO under the leadership of the Acting CFO to\n       close the outstanding recommendations from the 2011 Follow-up Audit of Procurement and\n       Contract Management\n\n\n\n                                      OIG Concerns\n   \xe2\x80\xa2   FEC needs to improve the accountability of management officials to ensure compliance with\n       all aspects of Directive 50: Audit Follow-up\n   \xe2\x80\xa2   Lack of progress by ITD in addressing outstanding recommendations for the Audit of the\n       FEC\xe2\x80\x99s Property Management Controls and the Inspection of the FEC\xe2\x80\x99s Disaster Recovery\n       Plan and Continuity of Operations Plan\n\n\nMore detailed information regarding the OIG concerns can be found in the remainder of this report\nalong with the audit follow-up meetings/communications, report overview, and background. At the\nend of the report, we have attached the memo we sent to the Staff Director requesting a written\nstatement accepting the risks involved in not implementing certain OIG recommendations. We have\nbeen informed by the Deputy CIO that these recommendations are not going to be implemented.\n\x0cAudit Follow-up Meetings/Communications\nClosed Recommendations\n\n   A. Audit Follow-up Review of the FEC\xe2\x80\x99s Employee Transit Benefit Program\n\n       The June 2013 Review of Outstanding Audit Recommendations report identified eight (8)\n       open recommendations. During the period ending December 31, 2013, the OIG was able to\n       confirm that standard operating procedures, frequently asked questions, and training to reflect\n       the new FEC Directive 54 on the transit benefit program have been fully implemented. As a\n       result, we were able to close the remaining eight (8) open recommendations.\n\n\n   B. Inspection of the FEC\xe2\x80\x99s Kastle Key Program\n\n       The June 2013 Review of Outstanding Recommendations report noted one outstanding\n       recommendation for the Inspection of the FEC\xe2\x80\x99s Kastle Key Program. During this follow-up\n       review period, the OIG conducted follow-up testing on the remaining open\n                                                                                   Congratulations\n       recommendation to verify if the Administrative Services Division            to ASD for their\n       adequately implemented this recommendation. The follow-up results           commitment to\n       identified that the remaining recommendation was properly implemented,      internal controls.\n       and all findings and recommendations for this inspection have been\n       officially closed by the OIG. The OIG appreciates the ASD\xe2\x80\x99s commitment to improving\n       internal controls and their responsiveness to the OIG during the follow-up process.\n\n\n   C. Quality Assessment Audit of the Audit Division\n\n       The June 2013 Review of Outstanding Recommendations report noted Audit Division\n       management had taken corrective action that resulted in eight (8) of the\n       eleven (11) recommendations being closed. However, there was not enough     Audit Division\n       evidence to confirm that three (3) recommendations were fully implemented.  has strong\n       Thus three (3) remained open. In November 2013, OIG met with the Audit      commitment to\n       Division Program Manager to determine if sufficient evidence was available  a quality audit\n       related to the open recommendations. Based on the OIG review of             process.\n       supporting documentation, we were able to close the remaining three (3)\n       recommendations.\n\n       The OIG would like to recognize the Audit Division management for making it a priority of\n       the division to address the findings included in the audit. We specifically would like to give\n       special recognition to the Audit Division Program Manager for her dedication to promptly\n       and adequately facilitate implementation of the audit recommendations. These efforts by the\n       Audit Division have demonstrated a strong commitment to ensure a quality audit process.\n\n\n_________________________________________________________________________________\nOffice of Inspector General\xe2\x80\x99s Review of Outstanding Recommendations December 2013 Report    2|Page\n\x0cOpen Recommendations\n\n    A. Audit of the Commission\xe2\x80\x99s Property Management Controls\n\n        The Audit of the Commission\xe2\x80\x99s Property Management Controls (Property Audit) audit report\n        was released in March 2010. The responsibility of implementing the audit recommendations\n        for the Property Audit is shared by the Administrative Services Division (ASD) and the\n        Information Technology Division (ITD). The OIG has worked with the ASD Managers 1 and\n        the Deputy Chief Information Officer of Operations (Deputy CIO) to receive any updates\n        regarding the implementation of audit recommendations. The Property Audit report identified\n        36 audit recommendations; ASD is responsible for the implementation of 10\n        recommendations, and the ITD 26 of the 36 recommendations.\n\n        In the OIG\xe2\x80\x99s June 2013 outstanding recommendations report, we reported that ASD\n        completed the implementation of all the outstanding recommendations that were                        ITD\n                                                                                                             Management\n        assigned to their office and the related findings have been officially closed.\n                                                                                                             states no\n        However, for several follow-up review periods, the OIG has expressed concern with                    corrective\n        ITD\xe2\x80\x99s lack of progress in implementing their outstanding recommendations to                          actions\n        improve their management controls over FEC property. The OIG contacted ITD                           completed.\n        management this review period, and was notified that management had not\n        implemented any corrective actions since the last review period.\n\n        As reported in our prior audit, ITD has a non personnel budget of approximately\n        seven million dollars ($7 million), the largest budget (excluding personnel costs) in                Management\n                                                                                                             should be\n        the entire agency, and the OIG believes that management should be more focused to\n                                                                                                             more focused\n        ensure that the proper controls are in place to reduce the risk of any excessive cost,               to ensure\n        waste, or abuse to the agency and its programs. The OIG has reported in other audits                 proper\n        (2010 Follow-up Audit of Privacy and Data Protection; FEC\xe2\x80\x99s Annual Financial                         controls are\n        Statement Audits), that IT controls are not adequate, however ITD has failed to                      in place.\n        properly address the reported recommendations that are intended to improve the\n        agency\xe2\x80\x99s IT controls.\n\n        ITD management has decided not to implement the remaining outstanding recommendations\n        for the Audit of the Commission\xe2\x80\x99s Property Management Controls. Therefore, a written\n        response from the Staff Director confirming that management agrees to accept the risk\n        of not implementing the remaining recommendations is required in order for the OIG to\n        consider closing the remaining outstanding recommendations, and conclude audit follow-up.\n        Please see attachment 1 for Management\xe2\x80\x99s Acceptance of Risk for Outstanding\n        Recommendations for a list of the seven outstanding recommendations along with their\n        potential risk to the agency if not implemented.\n\n\n\n\n1\n The OIG has worked with one acting ASD manager and two permanent ASD managers since the completion of the\nProperty Audit due to frequent turnover in this position.\n_________________________________________________________________________________\nOffice of Inspector General\xe2\x80\x99s Review of Outstanding Recommendations December 2013 Report           3|Page\n\x0c   B. 2010 Follow-up Audit of Privacy and Data Protection\n\n       For the 2010 Follow-up Audit of Privacy and Data Protection, the OIG\xe2\x80\x99s June 2013 report\n       identified 30 open recommendations. During this review period, the OIG noted that the Co-\n       Chief Privacy Officer\xe2\x80\x99s did not provide a CAP to the Commission in November\n       2013 in accordance with Directive 50. The OIG contacted the Staff Director\xe2\x80\x99s              CAP provided\n       Office, who manages the CAPs submitted by FEC management to the Commission,               late to\n       and confirmed that a CAP was not provided. The OIG contacted the Co-Chief                 Commission.\n       Privacy Officers via email on December 18, 2013 regarding audit follow-up, but did\n       not receive a response. At the conclusion of the OIG\xe2\x80\x99s review period, the Office of the Staff\n       Director identified that the Privacy Team provided their November 2013 CAP update to the\n       Commission on December 23, 2013, nearly a month late.\n\n       The OIG reviewed the CAP submitted to the Commission and noted the memo stated that\n       \xe2\x80\x9c\xe2\x80\xa6the Privacy Team closed recommendations 8b and 10c of the corrective action plan.\xe2\x80\x9d\n       However, the OIG reviewed and verified the closures of these two items during the prior\n       review period and reported them closed in the June 2013 report. In addition, the Privacy\n       Team stated that they, \xe2\x80\x9c\xe2\x80\xa6completed task items for recommendations 4a and 4c, and\n       anticipates that these recommendations will soon be closed.\xe2\x80\x9d Due to the late submission and\n       update of the Privacy CAP, the OIG was not able to review or verify the work completed. The\n       OIG will review the items noted in the memo to the Commission regarding activity completed\n       for recommendations 4a and 4c, and any additional corrective actions during the next review\n       period.\n\n   C. 2010 Follow-up of Procurement and Contract Management\n\n       The June 2013 Review of Outstanding Recommendations report noted 17 outstanding\n       recommendations. At the request of the Office of the Chief Financial Officer\n                                                                                            OCFO making\n       (OCFO), the OIG met with the acting Chief Financial Officer (CFO) and other\n                                                                                            progress on\n       OCFO staff members in November 2013 prior to their reporting to the                  addressing\n       Commission. The purpose of the meeting was to discuss the remaining outstanding      recommendations.\n       audit recommendations, as well as additional progress made since the June 2013\n       meeting. Subsequent to the meeting, the OIG reviewed documentation obtained\n       during the meeting to support corrective actions related to some of the open recommendations\n       and updated the OIG comment section of the CAP. The OIG also met with the procurement\n       contractor in December 2013 to discuss additional progress made since November and to\n       confirm what recommendations would be officially closed by the OIG. As of December 31,\n       2013, the OIG has closed an additional eight (8) recommendations. The OIG would like to\n       note that the OCFO, under the leadership of the acting CFO, has been working\n       diligently over the past year to address the outstanding recommendations. As a result, 20\n       of 29 total recommendations originally reported in the 2010 Follow-up Audit of Procurement\n       and Contract Management have been closed over the past 12 months.\n\n\n\n\n_________________________________________________________________________________\nOffice of Inspector General\xe2\x80\x99s Review of Outstanding Recommendations December 2013 Report   4|Page\n\x0c   D. Inspection of the FEC\xe2\x80\x99s Disaster Recovery Plan and Continuity of Operations Plans\n\n       The OIG initiated the Inspection of the FEC\xe2\x80\x99s Disaster Recovery Plan and Continuity of\n       Operations Plans (COOP Inspection) due to:\n          \xe2\x80\xa2 repeat findings related to the agency\xe2\x80\x99s contingency plan in the FEC\xe2\x80\x99s annual financial\n              statement audit since FY 2004;\n          \xe2\x80\xa2 the agency hiring a contractor for approximately $277,000 in FY 2008 to assist with\n              the development of contingency plans for the FEC program offices that where never\n              fully tested; and\n          \xe2\x80\xa2 management\xe2\x80\x99s non-compliance with applicable laws and regulations for properly\n              training FEC personnel on their COOP plans.\n\n       Since the inspection report was released in January 2013, this review period is the first\n       follow-up for the COOP Inspection. However, the OIG did not verify implementation of any\n       corrective actions because management has not made any progress. In November 2013, the\n       Deputy Chief Information Officer stated in a memo to the Commission that \xe2\x80\x9cThere have been\n       no updates since the last circulation [of the CAP] due to budget constraints but it is our goal\n       to revise and update the current plan during FY 2014.\xe2\x80\x9d\n\n       The OIG is concerned with the lack of progress and commitment by the                        Management\n       Information Technology Division to address the numerous problems found                      aware of\n       during our inspection. Further, the OIG would like to note that our office has              issues for\n       reported on weaknesses in this area since FY 2004 in the agency\xe2\x80\x99s annual financial          several years.\n       statement audits. Management has been aware of the agency\xe2\x80\x99s issues for several years,\n       and neglected to promptly implement corrective actions.\n\n\n\n\n_________________________________________________________________________________\nOffice of Inspector General\xe2\x80\x99s Review of Outstanding Recommendations December 2013 Report    5|Page\n\x0cThe table below summarizes the progress made by FEC management during the past six months and\nthe outstanding recommendations as of December 2013.\n\n\n\n                                                                                            2\n          Title & Report Date                                                               Total Open\n                                            Total Outstanding           Total Closed\n                 of OIG                                                                       as of\n                                            Recommendations             and Verified\n           Audits/Inspection                                                              December 2013\n                                             as of June 2013              by OIG\n\n     Audit Follow-up Review of the\n     FEC\xe2\x80\x99s Employee Transit                           8                       8                   0\n     Benefit Program (7/2009)\n     Audit of the Commission\xe2\x80\x99s\n     Property Management Controls                     7                       0                   7\n     (3/2010)\n     2010 Follow-up Audit of\n     Privacy and Data Protection                     30                       0                   30\n     (3/2011)\n     2010 Follow-up Audit of\n     Procurement and Contract                        17                       8                   9\n     Management (6/2011)\n     Inspection of the FEC\xe2\x80\x99s Kastle\n                                                      1                       1                   0\n     Key Program (12/2011)\n     Quality Assessment Audit of\n                                                      3                       3                   0\n     the Audit Division (9/2012)\n     Inspection of the FEC\xe2\x80\x99s\n     Disaster Recovery Plan and\n                                                     30                       0                   30\n     Continuity of Operations Plans\n     (1/2013)\n                                                                                                  76\n                          Total Outstanding Recommendations\n\n\n\n\n2\n \xe2\x80\x9cTotal Open as of December 2013\xe2\x80\x9d column includes recommendations that management has disagreed with or has not\nadequately implemented, and the OIG concludes that these recommendations are still \xe2\x80\x98open.\xe2\x80\x99\n_________________________________________________________________________________\nOffice of Inspector General\xe2\x80\x99s Review of Outstanding Recommendations December 2013 Report               6|Page\n\x0cOIG Concerns\n\nAs reported in our June 2013 Review of Outstanding Recommendations report, the FEC              Accountability\nneeds to improve the accountability of management officials necessary to ensure                 of management\ncompliance with all aspects of Directive 50: Audit Follow-up. It is essential that the          officials needs\nCommission not only requires management to report on a semi-annual basis the status of          improvement.\noutstanding recommendations, but also develops a process to ensure the Audit Follow-up\nOfficials are being held accountable for implementing outstanding recommendations in a timely\nmanner that are beneficial to the agency\xe2\x80\x99s mission and will improve agency programs. Without the\naccountability necessary to ensure corrective actions are taken by management, the mission of the\nagency is consistently operating under weaker controls that can increase cost, expose the agency to\nrisks, and increase the potential of fraud, waste, and abuse to agency programs.\n                                                                                              Pattern of lack of\nIn addition, the OIG is concerned with the lack of progress by the Information                progress by ITD\nTechnology Division to address outstanding recommendations for the Audit of the FEC\xe2\x80\x99s         on outstanding\nProperty Management Controls and the Inspection of the FEC\xe2\x80\x99s Disaster Recovery Plan           recommendations.\nand Continuity of Operations Plan.\n\n\n\n\nReport Overview\nThis report provides the Commission and management the results of the Office of Inspector\nGeneral\xe2\x80\x99s (OIG) review of outstanding OIG recommendations as of December 2013.\n\nAs required by the Inspector General Act of 1978, as amended, the Office of Inspector General (OIG)\nis responsible for conducting audits of the Federal Election Commission\xe2\x80\x99s (FEC) programs and\noperations. In addition to conducting and supervising audits, the OIG also has the responsibility to\nconduct audit follow-ups to ensure that management has effectively implemented OIG\nrecommendations. Audit follow-up, to include the timely implementation of audit recommendations\nby FEC management, is required by Office of Management and Budget Circular A-50, Audit Follow-\nup, as revised, and FEC Directive 50: Audit Follow-up.\n\nIn order to work effectively with FEC management in adhering to FEC Directive 50, and to ensure\ncontinuous monitoring and adequate and timely audit resolution, the OIG communicates with\nmanagement at least semiannually to discuss the status of outstanding OIG recommendations. If\nmanagement has implemented any corrective actions, the OIG schedules a meeting with management\nto discuss the implementation of the corrective action(s), and the OIG then reviews evidence of the\ncorrective action (i.e. new/updated policies, procedures, and processes to improve internal controls).\n\nBased on management\xe2\x80\x99s availability, the OIG strives to schedule these meetings to provide\nmanagement with the results of our review prior to management\xe2\x80\x99s reporting deadlines to the\nCommission in May and November. These meetings can provide management with timely OIG\nfeedback for their semiannual reports to the Commission and enables the OIG to keep abreast of\n_________________________________________________________________________________\nOffice of Inspector General\xe2\x80\x99s Review of Outstanding Recommendations December 2013 Report    7|Page\n\x0cmanagement\xe2\x80\x99s progress. The semiannual meetings are also intended to assist the audit follow-up\nofficial in following provisions 4 through 6 of Directive 50, which are listed as follows:\n\n       \xe2\x80\x9c(4) Respond in a timely manner to all audit reports;\n        (5) Engage in a good faith effort to resolve all disagreements; and\n        (6) Produce semi-annual reports that are submitted to the agency head.\xe2\x80\x9d\n\nFEC management is required by FEC Directive 50 to provide semiannual status reports (May and\nNovember) to the Commission of their progress concerning outstanding OIG recommendations. The\nofficial status (open/closed) of OIG recommendations is determined by the OIG once the OIG has\nverified that management has adequately implemented the corrective actions. The Inspector General\ncan also make a decision to close recommendations or seek resolution from the Commission for\nrecommendations where the OIG and management disagree. Lastly, the number of outstanding\nrecommendations is reported to the Commission and Congress in the OIG\xe2\x80\x99s Semiannual Reports to\nCongress.\n\n\nBackground\nAt the conclusion of each OIG audit and inspection, it is management\xe2\x80\x99s responsibility to develop a\ncorrective action plan (CAP). The CAP identifies the plan management has developed to address the\nOIG\xe2\x80\x99s findings and recommendations. The CAP should detail the following:\n\n   1. assignment of Audit Follow-up Official (AFO), who is responsible for overseeing the\n      corrective action;\n   2. OIG finding(s);\n   3. OIG recommendation(s);\n   4. detailed corrective action to implement the OIG\xe2\x80\x99s recommendation(s);\n   5. FEC staff person with responsibility to implement each task; and\n   6. expected completion dates.\n\nOnce management drafts the CAP, the OIG then reviews their CAP and provides comments to\nmanagement regarding the sufficiency of their planned corrective actions to address the OIG\xe2\x80\x99s\nfindings. Management reviews the OIG\xe2\x80\x99s comments, finalizes the CAP, and then provides the final\nCAP to the Commission with a courtesy copy to the OIG.\n\nFEC Directive 50 requires management to:\n\n       \xe2\x80\x9c(3) Conduct regular meetings with the Inspector General throughout the year to follow-up\n       on outstanding findings and recommendations, and include reports of these meetings in the\n       written corrective action plan and semi-annual reports required to be presented to the\n       Commission\xe2\x80\xa6;\xe2\x80\x9d\n\n\n\n\n_________________________________________________________________________________\nOffice of Inspector General\xe2\x80\x99s Review of Outstanding Recommendations December 2013 Report   8|Page\n\x0c                                                                                Attachment 1\n\n\n\n\n                  FEDERAL ELECTION COMMISSION\n                  WASHINGTON, D.C. 20463\n                  Office of Inspector General\n\n\n\n\nMEMORANDUM\n\nTO:           Alec Palmer\n              Staff Director/Chief Information Officer\n\nFROM:         Lynne A. McFarland\n              Inspector General\n\nSUBJECT:      Risk Acceptance Statement: December 2013 Review of Outstanding\n              Recommendations Report\n\nDATE:         February 10, 2014\n\nThe Office of Inspector General (OIG) is finalizing the December 2013 Review of\nOutstanding Recommendations Report to be released February 2014. As you know, the\nOIG\xe2\x80\x99s outstanding recommendations report details the results of the OIG\xe2\x80\x99s follow-up\nreviews for audit and inspections that have outstanding recommendations for six months\nor more.\n\nAs of December 2013, the Audit of the FEC\xe2\x80\x99s Property Management Controls has several\nrecommendations that have been outstanding for over three years. The OIG has reported\non our concern with the lack of progress from ITD management since June 2012, and our\nsoon to be released report on outstanding recommendations reiterates the OIG\xe2\x80\x99s concern.\nThe audit follow-up official has stated during OIG follow-up reviews that no further\ncorrective actions will be implemented to address the remaining recommendations and\nmanagement considers the recommendations closed. Therefore, the OIG\xe2\x80\x99s December\n2013 Review of Outstanding Recommendations Report is requesting a written statement\nfrom the Staff Director accepting the risk of the outstanding recommendations in order\nfor the OIG to officially close the open recommendations. A list of the outstanding\nrecommendations, and the risks associated with not implementing the recommendations,\nis attached with this memo and will also be included in the final report.\n\nIn addition, the OIG is aware that ITD is in the process of replacing the Blackberry\ndevices with iPhones. The OIG would like to note that the outstanding recommendations\nare applicable to the iPhone and any other cellular phone device the agency may procure.\nBased on the OIG\xe2\x80\x99s knowledge of the agency\xe2\x80\x99s lack of controls in this area, the OIG\nbelieves the roll-out of the new iPhone devices would be the opportune time for\nmanagement to implement the remaining outstanding recommendations to improve the\nagency\xe2\x80\x99s controls.\n\x0cThe OIG is requesting a written statement from the Staff Director by March 3, 2014 in\nresponse to accepting the risk of the outstanding recommendations for the Audit of the\nProperty Management Controls in order for the OIG to properly plan for the next audit\nfollow-up review period. If you decide to implement one or more of the outstanding\nrecommendations, based on the risks outlined in this memorandum, please let me know\nby March 3, 2014 so that I can schedule a review of the corrective action(s) at a future\ndate.\n\nThank you.\n\nAttachment\n\n\n\n\n                                            2\n\x0cManagement\xe2\x80\x99s Acceptance of Risk for the Audit of the FEC\xe2\x80\x99s Property Management\nControls Outstanding Recommendations\n\nThe Office of Inspector General is requesting a written statement from the Staff Director\nin regards to the remaining open recommendations from the Audit of the FEC\xe2\x80\x99s Property\nManagement Controls that are listed below. In order to close these recommendations and\nconclude the follow-up process, the Staff Director should state that management will\naccept the risk of not implementing the outstanding recommendations. Below are the\noutstanding recommendations and their associated risks.\n\n   1. Recommendation 1h: Document the ITD re-authorization process of PCD\n      [personal communication device/Blackberry] users in ITD's Policy 58-4.4\n          \xe2\x80\xa2 Risk: Waste of agency funding.\n                 \xef\x82\xa7 The re-authorization of PCD users is an internal control to help\n                   ensure that staff provided a Blackberry continue to have a need for\n                   the device. Staffs\xe2\x80\x99 job responsibilities change over time, and their\n                   need for a Blackberry can change. Therefore, it is important to\n                   periodically review the staff assigned a Blackberry to make sure\n                   the expenditure of funds for the Blackberry service is still required.\n                   As ITD is the office with oversight of the Blackberry devices,\n                   ITD\xe2\x80\x99s refusal to periodically re-authorize the users means ITD may\n                   be unaware if the agency is wasting funds on FEC personnel or\n                   contractors who no longer have a business need for an FEC issued\n                   Blackberry.\n\n   2. Recommendation 1k: Provide the policies and procedures for the use of\n      Blackberry devices to all users when issuing the Blackberry.\n         \xe2\x80\xa2 Risk: Abuse of government property.\n                \xef\x82\xa7 Blackberry devices issued to authorized users have the potential to\n                    be misused (excessive personal use, downloading of unauthorized\n                    applications, viewing prohibited information on a government\n                    issued device, etc.) if users are not aware of polices and procedures\n                    for using an FEC issued Blackberry.\n\n   3. Recommendation 2a: All unassigned Blackberry devices should be suspended or\n      service should be terminated if the device can not be immediately transferred to\n      another user (no active spares kept in ITD). At the time of our inspection, ITD\n      retained a minimum of 10 inactive spare devices (many of the spares were left\n      active incurring monthly charges) and a spare Subscriber Identity Module (SIM)\n      card (portable memory chip). If required, a device could be activated within 24\n      hours.\n          \xe2\x80\xa2 Risk: Fraud and no internal control.\n                 \xef\x82\xa7 In a prior audit follow-up, management stated that they have\n                     decreased the number of spare devices on hand to three. Although\n                     the OIG agrees that three spare devices is more reasonable than the\n                     previous 10 spares, the OIG reviewed devices listed as unassigned\n                     (spare) on the agency\xe2\x80\x99s AT&T monthly bill and they showed\n                     activity (in use) and were listed as assigned to FEC personnel on\n                                           3\n\x0c                   the inventory list. As a result, ITD is not maintaining accurate\n                   records of the unassigned Blackberry devices. Because these\n                   devices are not properly tracked, management runs the risk of\n                   potential fraud (stolen devices, unauthorized activity) because ITD\n                   does not maintain proper records of spare devices.\n\n4. Recommendation 2f: Blackberry user information should be kept up to date and\n   adjusted in a timely manner on the ITD master Blackberry listing and the AT&T\n   Premier website for employee separations and new assignment of devices.\n       \xe2\x80\xa2 Risk: Fraud and no internal control.\n               \xef\x82\xa7 Because these devices are not properly tracked, management runs\n                   the risk of potential fraud (stolen devices) because ITD does not\n                   maintain proper inventory records, and it\xe2\x80\x99s likely these devices\n                   would not be detected as missing.\n\n5. Recommendation 2g: Management should educate Blackberry users of all features\n   that incur additional cost to the agency, such as: roaming charges that result when\n   employees place calls outside AT&T service areas; texting; directory assistance;\n   unauthorized software, and voice use over the pooled plan limits.\n       \xe2\x80\xa2 Risk: Waste of agency funding and abuse of government property.\n               \xef\x82\xa7 The agency is at risk of wasting funds on unauthorized device\n                   features that cost additional money beyond the agency\xe2\x80\x99s plan.\n                   There is also potential for abuse by users in using their agency\n                   issued devices for excessive personal use. Both instances have\n                   been identified by the OIG and reported to management during the\n                   initial audit and in prior follow-up reviews.\n\n6. Recommendation 3: ITD should implement a form and process such as the NIST\n   Sample Sanitization Validation form, to record sanitization (wiping) of devices,\n   disposal and/or destruction, as appropriate.\n       \xe2\x80\xa2 Risk: Data breaches and fraud.\n              \xef\x82\xa7 Old devices that are no longer in use run the risk of containing\n                  sensitive information from emails/attachments if management has\n                  no record that the device has been properly sanitized prior to\n                  transferring the device as surplus to the General Services\n                  Administration. In addition, if the device is to be destroyed and\n                  there is no record of the destruction, there is a risk that the device\n                  can be removed from the agency and used for personal use or\n                  prohibited activity (selling an agency issued device).\n\n\n\n\n                                          4\n\x0c7. Recommendation 3e: Segregate the following program functions among three or\n   more ITD staff: Purchasing/ordering and recording assets; Authorization for\n   purchases, including devices received free under upgrade promotion; Receipt,\n   storage, and distributing of assets; and Destruction or disposal of surplus PCDs.\n       \xe2\x80\xa2 Risk: Waste of agency funds and fraud.\n          \xef\x82\xa7 Having one person to oversee all purchasing, recording, and storage\n              responsibilities for Blackberry devices presents the risk of a) wasting\n              agency funds on additional devices that are purchased for prohibited\n              activity; b) abuse of agency devices being used as personal use; and c)\n              creating fraudulent documentation and records to prevent the detection\n              of prohibited activity of agency issued devices.\n\n\n\n\n                                        5\n\x0c                         Federal Election Commission\n                           Office of Inspector General\n\n\n\n\n    Fraud Hotline\n    202-694-1015\n\n\n\n\n      or toll free at 1-800-424-9530 (press 0; then dial 1015)\n      Fax us at 202-501-8134 or e-mail us at oig@fec.gov\n      Visit or write to us at 999 E Street, N.W., Suite 940, Washington DC 20463\n\n\n\n\nIndividuals including FEC and FEC contractor employees are encouraged to alert the OIG to\nfraud, waste, abuse, and mismanagement of agency programs and operations. Individuals\nwho contact the OIG can remain anonymous. However, persons who report allegations are encouraged\nto provide their contact information in the event additional questions arise as the OIG evaluates the\nallegations. Allegations with limited details or merit may be held in abeyance until further specific details\nare reported or obtained. Pursuant to the Inspector General Act of 1978, as amended, the Inspector\nGeneral will not disclose the identity of an individual who provides information without the consent of that\nindividual, unless the Inspector General determines that such disclosure is unavoidable during the course\nof an investigation. To learn more about the OIG, visit our Website at: http://www.fec.gov/fecig/fecig.shtml\n\n                            Together we can make a difference.\n\x0c"